Office (OOXML) / .DOC malware analysis — malicious · 7b0fd15e81437201

MALICIOUS

Office (OOXML) / .DOC

121.7 KB Created: 2023-09-02 09:41:00 UTC Authoring application: Microsoft Office Word 12.0000 First seen: 2023-09-13

MD5: 2c335abe20f6cc994c0822507fc50446 SHA-1: aa3f761c4eb3279d16c63e66dc4933c90fbd7f22 SHA-256: 7b0fd15e81437201b02ab8231cdac5f2cfc357b704c4b790da078fce69492fbe

82 Risk Score

Malware Insights

MITRE ATT&CK

T1204 Malicious Link

The document contains heuristics indicating remote template injection and an external relationship, suggesting it's designed to pull content from an external source. The embedded URL 'https://mub.me/iYBt' is likely used to host a malicious payload or exploit. An embedded OLE object was also detected, which could contain further malicious content or exploit code.

Heuristics 4

Remote template injection high OOXML_REMOTE_TEMPLATE

Document references a remote template URL (https://mub.me/iYBt) — a common remote-template-injection vector used by Hancitor, Emotet and many phishing campaigns. Word can fetch and apply the remote template; macros in that template may execute depending on Office policy and trust state.
External relationship medium OOXML_EXTERNAL_REL

External target in word/_rels/settings.xml.rels: https://mub.me/iYBt
Embedded OLE object medium OOXML_OLE_OBJECT

Document contains an embedded OLE object
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

URL https://mub.me/iYBt

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`ooxml_oleobject_00.bin` `c600fab7b32c6c108dad586fce3e15cf04274d8c14c45cbf3783a290a447d6b0`	ooxml-ole-object	OOXML embedded OLE part: word/embeddings/Microsoft_Office_Excel_Worksheet1.xlsx	25979 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.